PRIVACY POLICY

Aeffe retail SPA with legal office in San Giovanni in Marignano (RN), via delle Querce 51 Tax Code and VAT no. 03177830407 in the person of the legal representative pro tempore (herein after also referred to as “Alberta Ferretti”), and Triboo Digitale S.r.l.,with legal office in Viale Sarca 336, Edificio sedici, 20126 Milan, VAT no./Tax Code and registration in the Business Registry of Milan IT02912880966 (herein after also referred to as “Triboo” and, with Alberta Ferretti, the “Data Controllers”) in quality of joint data controllers of the personal data of users/visitors (herein after, the “Users”) that browse website www.albertaferretti.com (herein after, the “Site”), invite you to view this privacy policy pursuant to art. 13 of EU Regulation no. 679/2016 (herein after “GDPR”) on the processing of your personal data, also containing important information on the management methods of the aforementioned site, in compliance with applicable laws and as further specified hereto.

This privacy policy is rendered exclusively for website “www.albertaferretti.com” and not for other websites potentially browsed by the user through links.

1. Processing scope

The Data Controllers will process identification personal data (for example only: name, surname, address, telephone number, email, etc., herein after also referred to as “Data”) freely disclosed by you during the purchase phase (e.g. through orders, etc.) of Alberta Ferretti products and/or anyhow products directly and/or indirectly linked to the latter, or when filling out and undersigning the Contract to purchase the afore-cited products, or those data conferred by you in order to exploit specific services offered by the Site, in addition to those (navigation data) data generally accessible by Data Controllers through IT systems and software procedures setup for site operation. In the last case, reference is made to personal data which transmission is implicit in the use of Internet communication protocols. This data category includes, among others, IP address or domain names of the computers used by the users connecting to the site, URI (Uniform Resource Identifier) addresses of the requested resources, request time, method used to submit the request to the server, size of the file obtained in response, numeric code indicating the response status given by the server (successful, error, etc.) and other parameters concerning the user’s operating system and IT environment.

2. Processing scope

Your data will be processed lawfully, according to upright principles, for the scopes described below.

A. With regards to navigation data: a) allow the Data Processors to obtain anonymous statistic information on the use of the Site and check correct operation; b) for security reasons (antispam filters, firewalls and virus detection), in order to block attempts at the detriment of the site or that may cause damage to users and, in any case, to avoid damaging activities or offences; c) execute any other function that is necessary or instrumental for site operation, among which the installation of technical cookies to improve the site functions, for which reference is made to the Cookie Policy d) allow the Data Processors to fulfil legal, accounting, tax, administrative and contract obligations related to the management of the site and supply of the requested services, as well as propter management of relations with authorities, control bodies and third public bodies related to particular requests, to fulfil legal obligations or other procedures.

B.With regards to data conferred voluntarily by the user: allow Triboo to perform any activity related (also preliminary) to the sale of products requested by the User, including fulfilling tax (e.g. VAT free, if foreseen), administrative-accounting obligations (among which, for example, invoicing, historic records, credit recovery – also implemented through factoring, credit insurance, credit transfer, etc.) and identify the consumer characteristics of the professional and/or client company, completing his request to purchase products through the Site; or fulfil his request of supply of other added value services related to the purchase of products. Allow Triboo to manage treasury activities relating to the contract (with relative processing -pursuant to laws – of bank details and/or other payment data, including potential identification details of credit or debit cards), pursuant to the Contract terms and conditions and/or other specific conditions set forth by the contract. Allow Triboo to implement measures aimed at protecting against the credit risk, including activities that identify the Client and his financial solvency. Allow Triboo to fulfil legal, accounting, tax, administrative and contract obligations related to the supply of the requested services, and proper management of relations with authorities, control bodies and third public bodies for scopes related to particular requests, to the fulfilment of legal obligations or other procedures. Unless the User grants specific and optional consent to Triboo for the processing of his data for additional scopes, the User's personal data will be used by Triboo exclusively to verify the User’s identity (also through validation of the email address), thus avoiding any frauds or abuses, and to contact the User for mere service reasons. Personal data are necessary to attain the processing scopes set forth by this point B. They are indicated with an asterisk in the Site registration form.

C. Exclusively upon your free, specific and separate consent (pursuant to art. 7 GDPR), allow Alberta Ferretti to perform market researches and analyses aimed at identifying the customer satisfaction level concerning the quality and type of the services rendered and initiatives to improve the services, and also to send you newsletters, advertising material and/or communications and information of business and direct marketing nature concerning new products sold and new services offered by Alberta Ferretti or third parties (among which, also other Group’s companies) and also on relative offers, discounts and any other promotional and customer loyalty initiative reserved to you. The above can take place through traditional contact systems (by regular mail or calls through operator) and also by using automated calling or call notification systems without operator, or by email and/or SMS (Short Message Service). Should you deny consent, you can still register to the Site and/or purchase products on the Site. If the User grants consent, he can revoke it at any time, by sending a request to Alberta Ferretti according to the methods set forth by following par. 10. Moreover, the User can easily object further transmissions of promotional notices via email by simply clicking on the relative link to revoke consent, which is available in each promotional email. If consent is revoked, Alberta Ferretti will send an email to the user to confirm revocation. Should the User intend to revoke his consent to the transmission of promotional notices by phone, continuing nonetheless to receive promotions via email or vice versa, he is invited to send a request to Alberta Ferretti according to the methods set forth by following par. 10.

Alberta Ferretti informs that the User may still continue to receive some additional promotional messages after exercising the right to object to the transmission of promotional notices via email, due to technical and operating reasons (e.g. contact lists completed just before the Partner receives the revocation request). If the User continues to receive promotional messages after 24 hours from exercising the revocation right, he is invited to notify the issue to Alberta Ferretti using the contact details set forth by following par. 10.

D. Exclusively upon your free, specific and separate consent (pursuant to art. 7 GDPR), allow Alberta Ferretti to process your data to suggest functions, products and services of your interest, to identify your preferences and customize your experience, to show you ads defined according to your interests in relation to the functions, products and services that may be of your preference; moreover, always upon your free, specific and separate consent (pursuant to art. 7 GDPR), allow Alberta Ferretti to use your personal data to evaluate certain aspects referring to you and in particular, to analyze or forecast aspects concerning your professional performance, economic situation, health, personal preferences, interests, solvency, behavior, location or movements.

Upon your free, specific and separate consent, allow Alberta Ferretti to analyze and elaborate information aimed at creating homogenous groups in terms of tastes and behaviors – so called ‘profiles’ – functional to identify the single user or, more often, a group of users or the terminal from which the user connects, to provide a customized offer of additional or related goods or services. Should you deny consent, you can still register to the Site and/or purchase products on the Site. If the User grants consent, he can revoke it at any time by contacting Alberta Ferretti according to the methods set forth by following par. 10.

3. Processing methods

Your personal data will be processed by means of the operations set forth by art. 4, no. 1) GDPR and more precisely: data collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication through transmission, disclosure or any other form available, comparison or interconnection, limitation, erasure or destruction.

The acquired data are processed in full compliance with laws, as well as principles of legality, uprightness, transparency, non-excess and protection of your privacy and rights.

Data of minor subjects will not be processed. Upon Users’ request, the Data Controllers will promptly erase all personal data unintentionally collected concerning subjects under 18 years old.

4. Data preservation period

The Controllers store Data in full compliance with local laws and internal corporate policies and procedures, for the time required to fulfil the afore-cited scopes and satisfy their legitimate business interests, juridical obligations or establish, exercise or defend legal rights. Once the need to store Data for the abovementioned scopes has been fulfilled, the data will be safely eliminated.

In particular:

- the data required to conclude and exclude the sale contract of Products in favor of the User will be preserved until all administrative-accounting formalities are fulfilled. Invoicing data will be preserved for ten years from the invoice date.

- data collected for marketing scopes are preserved until the service is terminated or the user objects processing by revoking the consent.

- Data collected for profiling scopes intended for marketing purposes are preserved until the user requests the interruption of the activity and anyhow, within 2 years from the last user’s interaction of any sort, with Alberta Ferretti

- Data collected for purposes of sending newsletters are preserved until the service is terminated or the user objects processing by revoking the consent.

- Data collected for purposes of managing services of the registered User are preserved until the service is terminated or the user objects processing by revoking the consent.

In all other cases, the Users’ personal data will be preserved for the times strictly required to attain the primary scopes set forth by previous par. 2, point B, or anyhow, as needed to protect the interests of Users and Triboo in a potential trial.

5. Legal principles for data processing

The afore-cited Data shall be processed to allow you browsing the Site and execute your requests (among which, the request to purchase products based on your purchase order sent to the Data Controller and/or anyhow by signing the Contract stipulated with the latter). If necessary, the user’s express consent will be collected for specific scopes.

Data processing for marketing scopes is allowed according to the free circulation of data as set forth by the GDPR and may consist of activities carried out to satisfy the legitimate business interests of the Data Controller, among which potential business development activities (e.g. marketing, customer satisfaction etc.) performed by the latter.

6. Data disclosure, diffusion and access

Your data can be accessed, for the afore-cited purposes, by:

• the Controllers, employees and collaborators in Italy and abroad, in their quality of internal data processors and/or sub-processors / subjects in charge of data processing and/or system administrators;

• by other Companies of Alberta Ferretti Group (parent companies, subsidiaries and/or affiliated companies) in Italy and abroad and their employees and collaborators (e.g. for administrative and accounting scopes);

• couriers or shipping companies to manage any activity aimed at delivering the products to the Client;

• by agents, business brokers, representatives, contractors and any other subject operating on behalf of the Data Controller;

• by other third companies or other subjects (for example and not limitedly to, credit institutions for handling payments and collections, financial brokers, credit insurance companies, professional offices, consultants, etc.) that perform outsourced activities on behalf of the Data Controllers in their quality of external data processors, among which suppliers or subjects appointed to execute additional or instrumental services in relation to the afore-cited scopes, with whom the Data Controllers stipulate agreements.

Moreover, the Data Controllers reserve the faculty to share personal data with certain third parties, among which: IT providers in order to develop systems and provide technical assistance; auditors and consultants to verify conformity with external and internal requirements; certifying bodies; legal bodies, agencies in charge to enforce law and parties summoned in trial with regards to legal informative obligations or claims; any successors or business partners of the Data Processors or a company of the Data Processors’ Group in case of sale, transfer or other extraordinary transactions; the police, the armed forces and other public administrations to fulfil obligations set forth by laws, regulations or EU legislations.

Should said subjects be located in extra-EU countries, the Data Controller ensures that the extra-EU Data transfer will take place in compliance with applicable laws, prior stipulating standard contract clauses foreseen by the European Commission.

The Users boast the right to obtain a list of data processors appointed by each Controllers, by sending a request to the concerned Data Controller according to the methods set forth by following par. 10.

7. Data Transfer

Data will be preserved on servers located inside the European Union. It is anyhow agreed that the Data Processor, if necessary, has the faculty to share the data also with other Group’s companies and/or transfer Data also to extra-EU countries; in this case, the Data Controller ensures since now that the transfer of data outside the EU will take place in compliance with applicable laws, prior stipulating standard contract clauses foreseen by the European Commission.

The Data Controller will apply all the necessary protective measures to said data transfers as set forth by applicable privacy laws.

8. Nature of Data conferment and consequences for non-conferring Data

Data conferment for the scopes set forth by art. 2 “A.” is optional but required to browse and access the various Site functions and allow proper navigation.

Data conferment for the scopes set forth by art. 2 ”B.” is also optional but necessary to allow Triboo to execute your requests.

Data conferment for the scopes set forth by art. 2 ”C.” is optional and not required to browse and access the various Site functions and/or purchase products through the Site. Hence, you can decide not to confer any data or deny the possibility to process the data already conferred, afterwards: in this case you will not be able to receive the requested information, newsletters, business notices and advertising materials concerning the services offered by the Data Controller.

Data conferment for the scopes set forth by art. 2 ”D.” is optional and not required to browse and access the various Site functions and/or purchase products through the Site. Hence, you can decide not to confer any data or deny the possibility to process the data already conferred, afterwards.

9. Rights of data subjects

In your quality of data subject, you boast the rights set forth by art. 13, par. 2, letter b), c) and d), 15, 16, 17, 18, 19 and 21 GDPR and more precisely the rights to:

• obtain confirmation of the existence of your personal data, even if not registered yet and their communication in intelligible form;

• obtain indication: a) of the Data origin; b) processing scopes and methods; c) logic applied in case of processing executed with the aid of electronic tools; d) identification details of the relative Data Controllers, the Data Protection officers, processors and appointed representative pursuant to art. 3, par. 1, GDPR; e) subjects or categories of subjects to whom Data can be disclosed or may become aware of in quality of representative appointed in the territory of the State and data processors;

• obtain: a) Data update, rectification or, if needed, integration; b) erasure, transformation in anonymous form or block of personal data processed in breach with laws, including data that are not required to be stored in view of the scopes for which it was collected or subsequently processed; c) indication that the transactions set forth by letters a) and b) were disclosed, in term of their content, to those subjects to whom data were communicated or diffused, unless said obligations cannot be fulfilled or imply the use of means manifestly disproportionate compared to the protected right;

• object, fully or in part: a) for legitimate reasons, to the processing of your personal data, even if related to the collection scopes; b) to the processing of your personal data for purposes of sending advertising or direct sale material or to execute market or business communication researches, using automated calling systems without operator or via email and/or through traditional marketing methods by phone and/or regular mail. Please note that the objection right of the data subject, exercised in accordance to previous point b), for direct marketing scopes through automated methods, is extended to traditional methods and anyhow, the data subject reserves the faculty to exercise the objection right even partially. Hence, the data subject may decide to receive notices only through traditional methods or only automated notices or none of the two communication types;

• if applicable, you also boast the rights set forth by art. 16 - 21 GDPR (Rectification right, right to be forgotten, right to limit processing, right to data portability, objection right) and the right to bring forward a claim to the Data Protection Authority;

• revoke your consent potentially granted, at any time.

10. Methods to exercise your rights

You can exercise your rights at any time or send a request as follows:

• by registered letter with return receipt, at the legal address of the Data Controllers

Information concerning the categories of Data processors are available at the legal address of the relative Controller and can be requested by the User according to the methods and contact details indicated above.